OMB sets 2017 as deadline to move to dynamic cybersecurity

The Office of Management and Budget is giving agencies the playbook to move to a
dynamic, proactive cybersecurity environment after more than a decade of reacting
to threats and vulnerabilities.

More than a year after making continuous diagnostics and mitigation (CDM) the new
standard by which agencies should secure their systems, OMB issued a memo late Monday outlining specific deadlines they
must meet to implement what many believe is a better approach to cybersecurity.

The Homeland Security Department, which is leading the operations effort, issued a new policy calling
for agencies to move to CDM in June 2012. Since then, DHS and OMB have been
putting the pieces in place for agencies to move to dynamic cybersecurity on a
full-time basis.

"The requirement to manage information security risk on a continuous basis
includes the requirement to monitor the security controls in federal information
systems and the environments in which those systems operate on an ongoing basis,
one of six steps in the National Institute of Standards and Technology (NIST) Risk
Management Framework," wrote Sylvia Burwell, OMB director, in the memo to agency
heads. "This allows agencies to maintain ongoing awareness of information
security, vulnerabilities, and threats to support organizational risk management
decisions."

3 years to full implementation

Burwell said agencies will undertake a phased approach to fully implement, by
2017, what OMB is now calling information security continuous monitoring (ISCM)
rather than continuous diagnostics and mitigation. Many expected OMB to issue this
memo earlier in the fall, but Burwell pulled the memo back in late September
to clarify which systems will be continuously monitored.

In the memo, agencies are required to develop an ISCM strategy by Feb. 28,
addressing "all security controls selected and implemented by agencies, including
the frequency of and degree of rigor associated with the monitoring process."

An OMB official, speaking on background in order to be more candid about the
policy, said agencies should use the strategy to figure out the level of their
maturity across programmatic, technical and management controls.

The official said the strategy also will help agencies determine which one of three
approaches they will take to implement ISCM:

Rely solely on internal capabilities

Rely solely on DHS

Partner with DHS

"The approach goes back to where each agency is technically and whether they
possess the capabilities with regards to cyber," the official said. "As we thought
about this, DHS provides services centrally and through standards across the
government. It would be more cost efficient and helpful to agencies who may not
have tools in house. Part of what agencies will realize as they complete the
foundational survey is whether they will need to or how much they will need to
work with DHS."

One cyber expert called the memo too process- and compliance-centric.

Robert Lentz, a former DoD official and now president of Cybersecurity Strategies,
said in an email, "I strongly believe this focuses on the wrong priority. While
this complicated mandate will force considerable resources to focus on 'hygiene'
issues, the real problem is advanced persistent threats/zero-day vulnerabilities
that will cause much more serious problems. Finally, the only way to address this
hygiene/traditional approach is to achieve 'enterprise' procurement across the
government to drive down costs."

DHS is trying to address the enterprise procurement issue. In August, as part of
the build-up to ISCM, DHS awarded 17 vendors a spot on a $6 billion
blanket-purchase agreement to provide CDM tools and services.

The RFQ also stated that hardware and software asset management needs to support
functions such as knowledge fusion, application whitelisting, database scanning,
Web application scanning and code review.

GSA and DHS say the tools and sensors will:

Simplify the security authorization process by helping to automate both
security assessments and authorization processes.